Virtual Systems Tech Note PDF
April 2012
OVERVIEW
Virtual systems (vsys) are unique and distinct next-generation firewall instances within a single
Palo Alto Networks firewall. Rather than deploy many individual firewalls, managed service
providers and enterprises can deploy a single pair of firewalls (high availability) and enable a
series of virtual firewall instances or virtual systems. Each vsys is an independent (virtual) firewall
that is managed separately and cannot be accessed or viewed by any other user.
Centralized management combined with role-based administration means that the administrator
can control access at the device level as well as access to specific management functions (enable,
disable, hide) for each firewall customer or user. The flexibility and efficiencies of virtual systems
present managed service providers (MSPs) and enterprises with some very attractive possibilities
to enhance business efficiency:
Improved scalability: Once the initial physical firewall is deployed, customers or business groups can be added or removed quickly and efficiently. A managed service provider can offer differentiated security services to each customer while keeping cost and complexity down by operating from a simplified infrastructure. A large enterprise can use virtual systems to provide next-generation firewall protection for business groups, departments, or subsidiaries.

Lower capital expenditures: Using a single physical firewall to support multiple, distinct customers or business units is more cost effective than buying and deploying many physical firewalls.

Reduced operational expenditures: Fewer physical firewalls consume less rack space, fewer BTUs of cooling and less electricity. Management costs are also reduced, again because there are fewer physical instances to manage.
Each Palo Alto Networks virtual system provides all of the same basic functionality that a unique
physical device supports, allowing an organization to take a menu-based approach to security
services delivery.
Supported Functionality                                                        Physical Appliance   Virtual Systems
Application visibility and control (App-ID)                                    Yes                  Yes
SSL decryption and inspection (App-ID)                                         Yes                  Yes
SSH control (App-ID)                                                           Yes                  Yes
Custom App-ID                                                                  Yes                  Yes
User-based control – Active Directory, LDAP, eDirectory,
Microsoft Exchange (User-ID)                                                   Yes                  Yes
User-based control – Citrix and Terminal services (User-ID)                    Yes                  Yes
User-based control – Captive portal (User-ID)                                  Yes                  Yes
Customized user-based control – XML API (User-ID)                              Yes                  Yes
Vulnerability protection (Content-ID)                                          Yes                  Yes
Virus protection (Content-ID)                                                  Yes                  Yes
Spyware protection (Content-ID)                                                Yes                  Yes
URL filtering (Content-ID)                                                     Yes                  Yes
WildFire                                                                       Yes                  Yes
Data filtering                                                                 Yes                  Yes
File blocking                                                                  Yes                  Yes
QoS                                                                            Yes                  Yes
IPSec VPN (site-to-site)                                                       Yes                  Yes
SSL VPN (remote user access)                                                   Yes                  Yes
GlobalProtect                                                                  Yes                  Yes
Logging and reporting                                                          Yes                  Yes
Centralized management                                                         Yes                  Yes
Role based administration                                                      Yes                  Yes
Network segmentation (security zones, VLANs, virtual routers)                  Yes                  Yes
Routing and switching (BGP, OSPF, RIP, L2, L3, mixed mode,
virtual wire)                                                                  Yes                  Yes
High Availability (Active/passive, Active/active)                              Yes                  Yes
PLATFORM SUPPORT
Virtual systems are available on the PA-5000 Series, PA-4000 Series and the PA-2000 Series.
You can also define administrator accounts that provide administrative or view-only access to a
single virtual system. Initially, all interfaces, zones, and policies belong to the default virtual
system (vsys1). When you enable multiple virtual systems, note the following:
Interfaces, zones, VLANs, virtual wires, and virtual routers (VR) must be assigned to a virtual system (a virtual system column is added to the respective pages).

A virtual system drop-down list is added under the Policies and Objects tabs. Before defining a policy or policy object, you must select the appropriate virtual system.

Remote logging destinations (SNMP, Syslog, and email), as well as applications, services, and profiles, can be shared by all virtual systems or limited to a selected virtual system.

Virtual router(s), security zone(s) and VLAN(s) can be defined before creating the vsys, or can be added at a later stage by specifying the vsys when the resource is created.
Virtual systems must be activated before they can be configured. Activation is done under the
Device tab, on the Setup > Management tab > General Settings page. Once the virtual systems
feature is enabled, the ‘Virtual Systems’ and ‘Shared Gateway’ menu items become available in the left
tree menu under the Device tab. Only a minimum amount of information is required to begin
configuring the first virtual system. Note that vsys1 is the default virtual system and is always
present.
Virtual system resources can be limited per vsys through the ‘Resource’ tab:

Sessions Limit—Maximum number of sessions allowed for this virtual system.
Security Rules—Maximum number of security rules allowed for this virtual system.
NAT Rules—Maximum number of NAT rules allowed for this virtual system.
Decryption Rules—Maximum number of decryption rules allowed for this virtual system.
QoS Rules—Maximum number of QoS rules allowed for this virtual system.
Application Override Rules—Maximum number of application override rules allowed for this virtual system.
Policy-based Forwarding (PBF) Rules—Maximum number of policy-based forwarding (PBF) rules allowed for this virtual system.
Captive Portal (CP) Rules—Maximum number of captive portal (CP) rules allowed for this virtual system.
The next step is to add the access interfaces/method to vsys2. In this example a layer 3 interface
is added using a VLAN tag to classify the data. The trunk port can be shared by multiple virtual
systems. Using a trunk port to service multiple virtual systems is a common technique.
The dedicated virtual system administrator will only have a view of his own policy rule base.
The next step is to make the virtual systems visible to each other. Make each virtual system visible to
its counterpart using the last column of the virtual systems page. In the example below, vsys3 is made
visible to vsys2; repeat this process to make vsys2 visible to vsys3.
The next step is to create the security zone required to define the inter-vsys security policies.
Creating a zone is done from the ‘Network’ tab in the GUI. Select ‘New zone’ from the zone menu
and create a zone of the type ‘External vsys’. In the drop-down list, select the virtual system in
which the zone will be created, and then select the virtual system (or systems) to which the zone
will allow traffic, provided a policy exists. Note that two security policies are required to allow
inter-vsys communication: one permitting outgoing traffic, which has the external zone as its
destination, and another permitting incoming traffic, which has the external zone as its source.
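As an added example (not code from this tech note or from Palo Alto Networks), the following Python applies the rules stated in the ‘Resource’ tab section and in the visibility and external-zone steps above to a small, constructed two-vsys configuration and reports what is missing. The dict layout, the zone names (ext-vsys2, ext-vsys3, trust) and the rule fields are assumptions for illustration, not the PAN-OS configuration format.

```python
from itertools import permutations
# Constructed sample (a plain dict, NOT the PAN-OS config format). zones maps a zone
# name to its target vsys for 'External vsys' zones, or None for ordinary zones.
# vsys3 already has its external zone but no incoming rule yet.
CONFIG = {
    "vsys2": {"visible_to": {"vsys3"},
              "zones": {"trust": None, "ext-vsys3": "vsys3"},
              "limits": {"security_rules": 2},
              "security_rules": [
                  {"from": "trust", "to": "ext-vsys3", "action": "allow"}]},
    "vsys3": {"visible_to": {"vsys2"},
              "zones": {"trust": None, "ext-vsys2": "vsys2"},
              "limits": {"security_rules": 1},
              "security_rules": []},
}

def external_zones(vsys, target):
    """Names of this vsys's 'External vsys' zones that point at target."""
    return {z for z, t in vsys["zones"].items() if t == target}

def check_limits(config):
    """Flag a vsys whose security rule count exceeds its Resource tab limit."""
    return [f"{n}: security rule count exceeds limit {v['limits']['security_rules']}"
            for n, v in config.items()
            if len(v["security_rules"]) > v["limits"]["security_rules"]]

def check_visibility(config):
    """An external zone may only target a vsys that is visible from its own vsys."""
    return [f"{n}: zone {z} targets {t}, which is not visible from {n}"
            for n, v in config.items() for z, t in v["zones"].items()
            if t is not None and t not in v["visible_to"]]

def has_allow_rule(vsys, key, zones):
    """True if some allow rule's 'from' or 'to' (key) names one of the zones."""
    return any(r["action"] == "allow" and r[key] in zones
               for r in vsys["security_rules"])

def inter_vsys_allowed(config, src, dst):
    """(outgoing_ok, incoming_ok): the outgoing rule in src uses the external zone
    as destination, the incoming rule in dst uses the external zone as source."""
    return (has_allow_rule(config[src], "to", external_zones(config[src], dst)),
            has_allow_rule(config[dst], "from", external_zones(config[dst], src)))

def audit(config):
    """Limit and visibility findings plus half-configured inter-vsys paths."""
    findings = check_limits(config) + check_visibility(config)
    for src, dst in permutations(config, 2):
        out_ok, in_ok = inter_vsys_allowed(config, src, dst)
        if out_ok != in_ok:
            side = "outgoing" if out_ok else "incoming"
            findings.append(f"{src} -> {dst}: only the {side} rule exists")
    return findings
```

Running audit(CONFIG) on the sample reports that only the outgoing rule exists for vsys2 -> vsys3, which is exactly the half-configured state the note warns about; adding the incoming rule in vsys3 clears the finding.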